You are on page 1of 5

19.12.

2007 EN Official Journal of the European Union C 309/1

IV
(Notices)

NOTICES FROM EUROPEAN UNION INSTITUTIONS AND BODIES

COURT OF AUDITORS

REPORT
on the annual accounts of the European Network and Information
Security Agency for the financial year 2006 together with the Agency’s
replies
(2007/C 309/01)

CONTENTS
Paragraph Page

INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 2
STATEMENT OF ASSURANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 2
OBSERVATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9 2
Tables 1 to 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The Agency’s replies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
C 309/2 EN Official Journal of the European Union 19.12.2007

INTRODUCTION 6. The Court has thus obtained a reasonable basis for the
Statement set out below:

1. The European Network and Information Security Agency


(hereinafter ‘the Agency’) was created by Regulation (EC) Reliability of the accounts
No 460/2004 of the European Parliament and of the Council of
10 March 2004 (1). The Agency’s main task is to enhance the The Agency’s accounts for the financial year ended 31 Decem-
capability of the Community to prevent and respond to network ber 2006 are, in all material respects, reliable.
and information security problems by building on national and
Community efforts.
Legality and regularity of the underlying transactions
2. Table 1 summarises the Agency’s competences and activi-
ties. Key data summarised from the financial statements drawn up The transactions underlying the Agency’s annual accounts,
by the Agency for the financial year 2006 is presented in Tables 2, taken as a whole, are legal and regular.
3 and 4 for information purposes.

The observations which follow do not call the Court’s State-


ment into question.
STATEMENT OF ASSURANCE

OBSERVATIONS
3. This Statement is addressed to the European Parliament
7. The implementation of the Agency’s budget for the finan-
and the Council in accordance with Article 185(2) of Council cial year 2006 shows a utilisation rate of 90 % of commitment
Regulation (EC, Euratom) No 1605/2002 of 25 June 2002 (2); it appropriations and 76 % of payment appropriations. There was
was drawn up following an examination of the Agency’s accounts, a concentration of transactions in the last quarter of the year. Fur-
as required by Article 248 of the Treaty establishing the European thermore, the weaknesses of the procedures for establishing the
Community. budget, led to a high number of transfers (4). Thus, the budgetary
principles of annuality and specification were not strictly
observed.
4. The Agency’s accounts for the financial year ended
31 December 2006 (3) were drawn up by its Executive Director, 8. The general accounting software used by the Agency
pursuant to Article 17 of Regulation (EC) No 460/2004, and sent makes it possible to amend entries without leaving an audit trail.
to the Court, which is required to give a statement of assurance Furthermore, a system for recording invoices that ensures the
on their reliability and on the legality and regularity of the under- accuracy of the financial information in the final accounts, has
lying transactions. not been established.

9. The internal control procedures required by the Financial


5. The Court conducted its audit in accordance with the IFAC Regulation to ensure transparency and sound financial manage-
and INTOSAI International Auditing Standards and Codes of Eth- ment have not yet all been documented. The Management Board
ics, insofar as these are applicable in the European Community did not formally adopt standards for internal control and the code
context. The audit was planned and performed to obtain reason- of professional ethics. Written instructions for archiving support-
able assurance that the accounts are reliable and that the under- ing documentation of transactions were missing. A financial
lying transactions are legal and regular. irregularities panel was not established.

This report was adopted by the Court of Auditors in Luxembourg at its meeting of
27 September 2007.

For the Court of Auditors


Hubert WEBER
President

(1) OJ L 77, 13.3.2004, p. 1.


(2) OJ L 248, 16.9.2002, p. 1.
(3) These accounts were drawn up on 1st July 2007 and received by the
Court on 5th July 2007. (4) During 2006, more than 45 transfers were made.
19.12.2007
Table 1
European Network and Information Security Agency (Heraklion)

Competences of the Agency Resources made available


Areas of Community competence Governance Products and services supplied
(Council Regulation (EC) No 460/2004 of 10 March 2004) to the Agency

EN
The representatives of the Mem- Objectives Tasks 1. Management Board 2006 final budget: Working groups
ber State governments have, by 1. The Agency enhances the The Agency: 1. It is composed of one rep- 6,9 (6,3) million euro (100 % Com- Three Working Groups on (a) Risk
common agreement, adopted a capability of the Community, resentative of each Member munity subsidy). management/Risk Assessment, (b) CERTS
(a) collects information on cur-
statement on the creation of a the Member States and the State, three representatives and (c) Regulatory Aspects of Network &
rent and emerging risks that Staff figures on 31 Decem-
European Network and Informa- business community to pre- appointed by the Commission, Information Security (RANIS).
could produce an impact on ber 2006:
tion Security Agency. The vent, address and respond to and three representatives,
electronic communications 44 (38) posts according to the
Agency should operate as a network and information secu- without the right to vote, each Publications
networks; establishment plan
point of reference and establish rity problems. of whom represents one of the Annual report,
confidence by virtue of its inde- (b) provides the European Parlia- posts occupied: 38 (35)
2. The Agency provides following groups: ENISA Quarterly (four Issues)
pendence, the quality of the ment, the Commission and
assistance and delivers advice (a) information and commu- 8 (15) other staff — Who’s Who on NIS database.
advice it delivers and the infor- European bodies or compe-
to the Commission and the tent national bodies with nication technologies Total staff: 46 (50) — 1 CD-ROM ‘ENISA inventory of CERT

Official Journal of the European Union


mation it disseminates, the
Member States on issues advice and assistance; industry; assigned to the following duties: activities in Europe’
transparency of its procedures
related to network and infor- (b) consumer groups; operational: 24 (22) — 1 CD-ROM ‘Raising Awareness in Infor-
and methods of operating, and (c) enhances cooperation between
mation security falling within mation Security, Insight and Guidance
its diligence in performing the actors in its field; (c) academic experts. administrative: 22 (28)
its competencies. for Member States’
tasks assigned to it. (d) facilitates cooperation on 2. Board members may be
3. The Agency develops a — Six Fact Sheets on ENISA and its activi-
(Council Decision of 19 Febru- common methodologies to replaced by alternates.
high level of expertise and uses ties
ary 2004, taken on the basis of address network and informa-
this expertise to stimulate 2. Executive Director — 30 press releases
Article 251 of the Treaty). tion security issues;
broad cooperation between 1. The Agency is managed by — The Permanent Stakeholders Group’s
actors from the public and pri- (e) contributes to awareness rais-
ing on network and informa- its Executive Director, who is (PSG) ‘Vision for ENISA’ –document
vate sectors. independent in the perfor-
tion security issues for all — The Draft ENISA Strategy 2008-2011
4. The Agency assists the mance of his duties. processed by the PSG and Management
users;
Commission, when called 2. The Executive Director is Board
upon, in developing Commu- (f) assists the Commission and
the Member States in relations appointed for a term of office — A Guide on how to set up a CERT
nity legislation in the field of of up to five years.
with industry; — A report on CERT co-operation
network and information secu-
rity. (g) tracks standards; — ‘A Users’ Guide: How to Raise Informa-
3. External audit
tion Security Awareness’
(h) advises the Commission on Court of Auditors.
research in the area of net- — Package ‘Information Security Aware-
work and information; 4. Internal audit ness Programmes in the EU — Insight
and Guidance for Member States’
(i) promotes risk assessment The Commission’s Internal
Auditor. — Collection of Best Practices — the
activities, on prevention solu-
‘ENISA Knowledgebase’
tions;
5. Discharge authority — Study on security and anti-spam mea-
(j) contributes to cooperation sures of providers
Parliament on a recommenda-
with third countries.
tion from the Council.
Cooperation with Member States and
other institutions
— 15 joint events with Member States
— eight responses to requests by Member
States and Institutions
Source: Information supplied by the Agency.

C 309/3
Table 2

C 309/4
European Network and Information Security Agency (Heraklion) — Implementation of the budget for the financial year 2006
(1 000 euro)

Revenue Expenditure
Appropriations carried over
Revenue entered Final budget appropriations
from previous financial year(s)
Source of revenue in the final budget Revenue collected Allocation of expenditure

EN
for the financial year carried
entered committed paid cancelled entered committed paid cancelled
over
Title I
Community subsidies 6 940 6 600 Staff 4 249 3 989 3 728 253 268 257 257 178 79
Title II
Other revenue 12 12 Administration 859 779 653 126 80 1 065 1 065 863 202
Title III
Operating activities 1 844 1 542 989 538 317 790 790 271 519
Total 6 952 6 612 Total 6 952 6 310 5 370 917 665 2 112 2 112 1 312 800

Official Journal of the European Union


Source: Data supplied by the Agency — These tables summarise the data provided by the Agency in its annual accounts. Revenue collected and payments are estimated on a cash basis.

Table 3 Table 4
European Network and Information Security Agency (Heraklion) European Network and Information Security Agency (Heraklion)
— Economic outturn account for the financial years 2006 and 2005 — Balance sheet at 31 December 2006 and 2005
(1 000 euro) (1 000 euro)

2006 2005 2006 2005


Operating revenue Non-current assets
Community subsidies 5 476 4 251 Intangible fixed assets 33 12
Tangible fixed assets 312 332
Other revenues 12 —
Current assets
Total (a) 5 488 4 251
Short-term receivables 56 13
Operating expenditure Cash and cash equivalents 2 519 2 510
Staff expenditure 3 100 1 040 Total assets 2 920 2 867
Fixed asset related expenditure 103 31 Current liabilities
Other administrative expenditure 1 515 1 563 Provisions for risks and charges 66 45
Operational expenditure 1 236 518 Accounts payable 2 224 1 724
Total (b) 5 954 3 152 Total liabilities 2 290 1 769
Net assets
Surplus /(deficit) from operating activities (c = a – b) – 466 1 099
Accumulated surplus/deficit 1 098 —
Financial operations revenue (e) — —
Economic result for the year – 468 1 098
Financial operations expenditure (f) –2 –1 Total net assets 630 1 098
Surplus /(deficit) from non-operating activities (g = e – f) –2 –1 Total liabilities and net assets 2 920 2 867
Economic result for the year (h = c + g) – 468 1 098

19.12.2007
Source: Data supplied by the Agency — These tables summarise the data provided by the Agency in its annual accounts: these accounts are drawn up on an accrual basis.
19.12.2007 EN Official Journal of the European Union C 309/5

THE AGENCY’S REPLIES

7. Being in its first full year of operation, the Agency inten- the Commission the project will be launched early in 2008. The
sified its activity in the second half of the year resulting in having system for recording invoices was revised before the preparation
many transactions in the last quarter. Also, in 2006, the position of the final accounts and is being applied since.
of budget officer remained vacant for more than five months
which affected the ability of the Agency to optimise planning and 9. ENISA will present to its Management Board for adoption
minimize the transfers for the year. standards for internal control as well as a code of ethics. The
executive director will put in place the organisational structure
8. ENISA has already applied for ABAC, the Commission’s and all the procedures and controls necessary to their
accounting software since 2005. Based on the schedule of implementation.